Forms Based Authentication (FBA) in WSS 3.0 / MOSS 2007 (by MeySun)

I had an issue this week where I was unable to sign in to my personal WSS site. For some reason the popup login screen never showed. I know that my company laptop is heavily secured, as is the network. So whether it was a firewall blocking or my IE settings that did not allow the logon, I didn’t care. All I needed was to be able to log on to my site.


This brought me to the idea of implementing FBA for my site. I didn’t want to manage users in a SQL database etc. I just needed FBA to authenticate to Active Directory. I stumbled upon a great blog post by meysun (aka Meyyappan Meenakshisundaram).


Here is what he wrote:


1. Configure SharePoint Central Admin 



  • Login to SharePoint Central Admin
  • Go to Application Management / Application Security / Authentication Providers and Change the Web Application to the one which needs to be configured for Forms Based Authentication
  • Click zone / default, change authentication type to forms and enter ActiveDirectoryMembershipProvider under membership provider name (for example, “ADMembershipProvider”) and save this change

2. Update the web.config of the SharePoint Central Admin site
 


under <configuration> node


<connectionStrings>
  <add name="ADConnectionString" connectionString="LDAP://DynamicsAX.local/CN=Users,DC=DynamicsAX,DC=local" />
</connectionStrings>


under <system.web> node


<membership defaultProvider="ADMembershipProvider">
  <providers>
    <add name="ADMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADConnectionString"
         connectionUsername="xxx" connectionPassword="yyy"
         enableSearchMethods="true"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>


Replace the connection string with the one matching your environment, and replace "xxx" with domainname\username and "yyy" with the password.


 


3. Update the web.config of the SharePoint web application



  •  Repeat step 2 for the web.config of the SharePoint web application to be configured for Forms Based Authentication
  •  Change the authentication in web.config to
    <authentication mode="Forms">
        <forms loginUrl="/_layouts/login.aspx"></forms>
    </authentication>

For more details
http://technet2.microsoft.com/Office/en-us/library/23b837d1-15d9-4621-aa0b-9ce3f1c7153e1033.mspx?mfr=true
http://msdn2.microsoft.com/en-us/library/ms998360.aspx


So, thanks, meysun, for your post. It really helped me out!
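
An added example (not part of meysun's post or of this article's original text): a small Python check for the web.config changes in steps 2 and 3. It catches malformed XML such as a missing quote, an undefined connectionStringName, an LDAP path whose DC components do not match the host, a clear-text connectionPassword and a forms element without requireSSL. The function name lint_fba_config and the sample are constructed for illustration, and the check assumes the LDAP host is the domain's DNS name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's settings, placeholder credentials.
SAMPLE = """<configuration><connectionStrings>
<add name="ADConnectionString"
 connectionString="LDAP://DynamicsAX.local/CN=Users,DC=DynamicsAX,DC=local" />
</connectionStrings><system.web>
<membership defaultProvider="ADMembershipProvider"><providers>
<add name="ADMembershipProvider" connectionStringName="ADConnectionString"
 connectionUsername="xxx" connectionPassword="yyy" />
</providers></membership>
<authentication mode="Forms"><forms loginUrl="/_layouts/login.aspx" />
</authentication></system.web></configuration>"""

def lint_fba_config(text):
    """Return findings for the membership/forms parts of a web.config."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:  # e.g. a missing closing quote
        return [f"malformed XML: {exc}"]
    findings = []
    conns = {a.get("name"): a.get("connectionString", "")
             for a in root.findall("./connectionStrings/add")}
    providers = root.findall("./system.web/membership/providers/add")
    membership = root.find("./system.web/membership")
    if membership is not None and membership.get("defaultProvider") not in {
            p.get("name") for p in providers}:
        findings.append("defaultProvider does not match any provider name")
    for p in providers:
        if p.get("connectionPassword"):
            findings.append("connectionPassword is stored in clear text")
        ref = p.get("connectionStringName")
        m = re.fullmatch(r"LDAP://([^/]+)/(.+)", conns.get(ref, ""))
        if ref not in conns:
            findings.append(f"connectionStringName '{ref}' is not defined")
        elif not m:
            findings.append(f"'{ref}' is not LDAP://host/containerDN")
        else:
            # Assumption: host is the domain's DNS name and the DN has no
            # escaped commas, so the DC= parts should spell the same name.
            host, dn = m.groups()
            dcs = ".".join(r.split("=", 1)[1].strip() for r in dn.split(",")
                           if r.strip().upper().startswith("DC="))
            if dcs.lower() != host.lower():
                findings.append(f"DC components '{dcs}' do not match '{host}'")
    forms = root.find("./system.web/authentication[@mode='Forms']/forms")
    if forms is not None and forms.get("requireSSL", "false").lower() != "true":
        findings.append("forms requireSSL is not true; cookie may go over HTTP")
    return findings
```

For the clear-text finding, ASP.NET protected configuration (aspnet_regiis -pe) can encrypt the section that holds connectionPassword. The check cannot tell whether the container exists in the directory, only whether the path is shaped consistently.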

9 thoughts on “Forms Based Authentication (FBA) in WSS 3.0 / MOSS 2007 (by MeySun)”

  1. Dirk,

    A little remark. In your connection string part, you have forgotten the closing quote. It must be:

    I know it’s a detail ! Still nice post.

  2. Cedric,

    nice catch 🙂

    The worst part is that I have implemented this already twice and each time I had an XML web.config formatting error because of the missing double quote ….

  3. Hello Dirk,

    How are you?

    I tried the above steps and configured a site as per the instructions. It gives me an error as below:

    The container specified in the connection string does not exist. (C:\Inetpub\wwwroot\wss\VirtualDirectories\testmercury.jumeirah.com80\web.config line 112)

    testmercury.jumeirah.com is the name of the sharepoint web app.

    My web.config around the above mentioned line numbers is as follows:

    108: <membership defaultProvider="ADMembershipProvider">
    109:   <providers>
    110:     <add
    111:         name="ADMembershipProvider"
    112:  type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
    113: connectionStringName="ADConnectionString"
    114: connectionUsername="domainname\username"
    115: connectionPassword="password"
    116: enableSearchMethods="true"
    117: attributeMapUsername="sAMAccountName"/>
    118:  </providers>
    119: </membership>

  4. Hi Noel,

    been there, done that 🙂

    The error message is pointing you in the wrong direction. As a matter of fact the error is located in the line:

    <add name="ADConnectionString" connectionString="LDAP://DynamicsAX.local/CN=Users,DC=DynamicsAX,DC=local" />

    It means that the LDAP path that is specified is incorrect. The most common reason for that is when you are using another OU container instead of the Users container in your domain. This is because the LDAP path for the Users container is slightly different from that of a normal OU container.

    My suggestion to you is to look up the correct LDAP path for your container using ADSIEDIT (which is part of the support tools package).

    The correct ldap path for you depends on how your Active Directory is set up.

    E.g. let’s say you have an Active Directory domain called contoso.com and you want to authenticate your FBA users, who are all located in the default Users container in AD; then your LDAP path should be LDAP://contoso.com/CN=Users,DC=contoso,DC=com

    If you have all your users in another OU that you have created yourself, e.g. MyUsers, then your LDAP path would be LDAP://contoso.com/OU=MyUsers,DC=contoso,DC=com

    Notice that the name of your OU is now preceded by OU= instead of CN=, which is exactly what I meant by the different LDAP path for the Users container.

    I hope this helps you out, and best of luck.

  5. I’ve the authentication set up for my SharePoint site, but it seems it won’t resolve usernames in the Central Administration when trying to change the Site Collection Administrators. I’ve been googling for this, but haven’t found anything much relevant to this particular problem. Any ideas on what to look for?
